Cybersecurity: Why We Can’t Get It Right

Asymmetrical Hybrid Warfare

The most significant world event of this century.

The U.S. is Losing the Cybersecurity Battle

Cybersecurity is the most important and least understood agenda item for senior leadership and staff in every sector – business, government, the military, and academia. While we continually increase spending on failed cybersecurity strategies, the United States continues to lose the battle by a wider margin each year because we’ve got it wrong.

According to a recent study of 2,000 large enterprise security of cers “about one-third of targeted attempts to breach corporations’ cyber defenses succeed but three- quarters of executives remain unaccountably con dent in their security strategies.” The report further states: “Each year, businesses spend an estimated $84 billion to defend against data thefts that cost them about $2 trillion – damage that could rise to $90 trillion a year by 2030 if current trends continue.”1

Underscoring the enormous size of this mismatch, Cybersecurity Ventures projects that $1 trillion will be spent globally on cybersecurity between 2017 and 2021.2 If this huge investment is to have a positive return, cybersecurity strategy in every organization must incorporate accurate and timely geopolitical intelligence. Our adversaries spent decades getting to know us better than we know ourselves. America’s senior leadership must act to quickly level the eld.

Massive Annual Losses Leading to Permanent Damage

Flawed cybersecurity strategies and losses resulting from economic espionage result in a shared impact. When an organization experiences a breach, both current and future generations are negatively affected. The U.S. economy, built on innovation, cannot sustain annual losses of $5 trillion in total value (approximately one-third of the U.S. gross domestic product (GDP)) without permanent negative impact. Annual losses that great are tantamount to war. In this case, an economic war. And, when at war, you are required to think and act differently.3

The “New” Global Competitive Model: The Modern Battlefield is Everywhere

These losses are attributable to several factors. First, cyber operations are one of thirty-eight methods in use today in the new global competitive model. This new model is neither traditional or friendly, nor is it employed in good faith. It is rooted in the methods of Asymmetrical Hybrid Warfare (AHW) and Unrestricted Warfare (UW; warfare without any rules), also called offset warfare. For example, China employs these methods in a relentless quest for global domination. China spent the last three decades perfecting a national policy that states war is no longer “using armed forces to compel the enemy to submit to one’s will” but “using all means, including armed force or non-armed force, military and

non-military, and lethal and non-lethal means to compel the enemy to accept one’s interests.” 4,5

Economic Warfare

Economic warfare is another AHW method. Under an economic warfare regime, adversaries strategically and steadily acquire assets, companies, infrastructure, innovation, sensitive data and natural resources to eliminate or limit future competition from the West. This is a daily occurrence. Recently, two significant Chinese transactions were reported. Genworth Financial was acquired by China Oceanwide and 25% of Hilton Worldwide was acquired by China’s HNA Group. At the same time, China places strict limits on foreign investment or acquisition of Chinese assets. The result? The United States is no longer in a position of power on the global competitive stage.

Every organization must adopt strategies and defenses to meet the AHW challenge with respect to cybersecurity and data protection.

The Game Changed Long Ago and We Were Oblivious

Most organizations employ a 1990s-era cybersecurity strategy. Our adversaries have been executing a 21st century strategy, AHW, for three decades. Our current defenses remain focused on failed notions of perimeter protection and are reactive rather than proactive. Our cybersecurity strategies lack a comprehensive intelligence analysis that determines who our adversaries are, their motivations, who and what they are targeting and how they adapt. Our adversaries have an insatiable thirst for intelligence and sensitive information, and they will use any and all methods (e.g., cyber, insider threat, and traditional espionage) to obtain it.

In response to the threat, the American cybersecurity industry has offered little tangible success. Over the past seven years, the venture capital community has helped launch new cybersecurity software or hardware products every calendar day, averaging 350 products annually. This has created a confusing glut of competing products. As a result, dependencies, based on vendors’ claims about

their cybersecurity products being the “silver bullet,” are created. Unfortunately, experience has demonstrated that there are no cybersecurity silver bullets.

The mistake is characterizing cyber as a purely issue. Cyber is human problem. One study found that 99.7 percent of organizations are concerned about internal security threats.6 Every organization must maintain an aggressive, accountable, 360 degree insider threat program. It takes only one malicious or careless insider to bypass all the implementations of expensive cybersecurity.

Critical Impact of Intelligence

A successful cybersecurity strategy must include ongoing intelligence collection and analysis followed by the integration of the processed information into cybersecurity operations. Senior leadership must be privy to information about adversary nation-states, hackers, and DarkNet/ DarkWeb activities. The DarkNet is a signi cant collection target. It is twenty times larger than the open Internet and is home to malicious activity including attack planning, sourcing of attack methods and the sale of stolen data and assets. Active intelligence and DarkNet surveillance can signi cantly mitigate cyber risk.

Inability to Quantify Losses

There is no standard mechanism to measure breach severity or the cumulative effect of multiple breaches. There are many contributing factors. Our adversaries plan and execute data theft and traditional espionage to so that the damage is just below the point where action is taken. There is also a lack of accountability across all levels of the public and private sectors, leading to an epidemic of denial and complacency. Culturally, we resist reporting weaknesses for fear of retribution or loss of employment. The result is that the true state of of our cybersecurity posture remains unknown. These factors are endemic.

Responsibilities of Senior Leadership

1. Strategic Transformation – Organizations must transform their global competitive strategy and its underpinnings to compete in an AHW environment. This includes all private sector, government, military and academic organizations. The transformation must include a cybersecurity program focused on adversary intelligence, effective insider threat and data protection programs and continuous monitoring of the DarkNet.

2. Know Your Adversaries – Senior leadership and staff must become conversant with adversary tactics, techniques and methods. Leadership must take measures to end business relationships with proven adversaries when their AHW intentions are con rmed.

3. Transform Your Culture – Enforce a security culture emphasizing proper classi cation, handling and access control of sensitive data and intellectual property throughout the organization and supply chain. Include cyber hygiene training for all employees, their families, contractors, vendors and suppliers. There must be accountability and consequences at all levels, including senior leadership, staff, contractors, suppliers and partners. Regularly conduct unbiased red-team exercises to identify weaknesses throughout the organization and supply chain.

2. Establish a Global Competitiveness Task Force with oversight an authority to approve/reject any foreign transaction deemed detrimental to U.S. competitiveness. Specifically, this Task Force should focus on AHW transactions.

Conclusion

Cybersecurity is no longer “business as usual.” It must be treated by all organizations as part of an overall AHW strategy against the United States. If not addressed immediately and aggressively, experts forecast it will become the most signi cant world event of this century.

Every sector and organization must quickly adapt and transform to compete in this new global competitive model. Ultimately, the American way of life is quietly, signi cantly, and permanently eroding. It is the responsibility of every American and each of our allies to become informed and to collectively take action.